Searchlight Cyber details reconnaissance used by cybercriminals against energy companies on dark web


Dark web intelligence company Searchlight Cyber disclosed Tuesday that the predominant activity observed against the energy industry on the dark web is the ‘auctioning’ of initial access to energy companies, which routinely takes place on criminal forums. The report combines analysis of threat activity over one year, from February 2022 to February this year, with advice on how security teams can use dark web intelligence to build threat models and improve their security.

“The report demonstrates that energy companies are routinely discussed on dark web forums – in particular – by threat actors auctioning initial access to remote software, VPNs, and stolen credentials,” Searchlight Cyber said in its report. “While they are primarily exploiting corporate infrastructure, Industrial Control Systems (ICS) and Operational Technology (OT) are also in the firing line.”

The analysts also observed threat actors discussing ICS and sharing resources to help others conduct attacks. The report identified a threat actor sharing tutorials, papers, and documents on ‘ICS/SCADA, PLC, RTU, HMI and any other components of industrial systems’ on the dark web forum BreachForums; in the comments below the post, other forum users thanked the poster for sharing.

The Searchlight Cyber report also observed hackers discussing – and even publishing – access to ICS and OT. “While it falls outside of our research window, it is worth highlighting as an example of threat actors sharing what appears to be incredibly sensitive data related to ICS. We have redacted the name of the organization, which was used in this case, but from the file names it is clear that this data refers to operational technology,” it added.

Perhaps even more concerning is a post identified by analysts on the CryptBB forum, the report disclosed. “Here, the poster claims to have ‘found’ some authentication-disabled VNC servers connected to ‘water tanks, pool pumps, etc.,’ using the server search engine Shodan. While this individual says they have ‘no intention of screwing with it,’ broadcasting this information on a dark web forum could alert malicious threat actors to the vulnerability, and security teams to check their own infrastructure,” it added.
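The practical follow-up to a post like that is to check your own estate for the same condition. The example below is added here and is not code from the Searchlight Cyber report or from the forum post it describes: it parses the RFB (VNC) security negotiation and flags any server that offers security type 1, “None”, meaning a client can connect without authenticating. The handshake byte strings are constructed by hand following the RFB protocol layout (a 12-byte ProtocolVersion banner, then a U32 security type for RFB 3.3 or a counted list of security types for RFB 3.7/3.8); the function names, the sample host list and the probe() helper are this example’s own assumptions.

```python
"""Flag VNC servers that offer the RFB "None" security type (no authentication).

Added example for auditing your own hosts; not code from the Searchlight Cyber
report. SAMPLES below is constructed, not captured from any real host.
"""
import socket
import struct

SECURITY_NONE = 1  # RFB security type 1: no authentication at all
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNCAuth", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_rfb_security(data: bytes) -> dict:
    """Parse what a VNC server sends once the client has echoed a protocol version.

    data = 12-byte banner b"RFB 003.00x\\n" followed by either
      - RFB 3.3: one big-endian U32 security type chosen by the server, or
      - RFB 3.7/3.8: a U8 count and that many U8 security types on offer
        (count 0 means the server refused; a U32 length + reason string follows).
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion banner")
    version = (int(data[4:7]), int(data[8:11]))
    body = data[12:]
    if not body:
        raise ValueError("banner present but no security negotiation data")
    result = {"version": version, "types": [], "no_auth": False, "reason": None}
    if version <= (3, 3):
        result["types"] = [struct.unpack("!I", body[:4])[0]]
    elif body[0] == 0:
        (rlen,) = struct.unpack("!I", body[1:5])
        result["reason"] = body[5:5 + rlen].decode("latin-1", "replace")
    else:
        result["types"] = list(body[1:1 + body[0]])
    result["no_auth"] = SECURITY_NONE in result["types"]
    result["names"] = [SECURITY_NAMES.get(t, f"type{t}") for t in result["types"]]
    return result


def audit(samples: dict) -> list:
    """Return the hosts whose server offers 'None' (no auth), sorted."""
    return sorted(h for h, data in samples.items() if parse_rfb_security(data)["no_auth"])


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Live check of ONE host you are authorized to test (not used by the offline samples)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        if not banner.startswith(b"RFB "):
            raise ValueError("not a VNC server")
        # Reply with the server's version, capped at 3.8 (bytes compare lexicographically),
        # so the server moves on to the security negotiation we want to inspect.
        s.sendall(min(banner, b"RFB 003.008\n"))
        return parse_rfb_security(banner + s.recv(256))


# Constructed handshakes (hypothetical hosts); not captured from any real device.
SAMPLES = {
    "10.0.0.5:5900": b"RFB 003.008\n" + bytes([1, SECURITY_NONE]),          # offers only "None"
    "10.0.0.6:5900": b"RFB 003.008\n" + bytes([2, 2, 19]),                  # VNCAuth + VeNCrypt
    "10.0.0.7:5900": b"RFB 003.003\n" + struct.pack("!I", SECURITY_NONE),   # legacy 3.3, no auth
    "10.0.0.8:5900": b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", 8) + b"Too busy",
}

if __name__ == "__main__":
    for host, data in SAMPLES.items():
        print(host, parse_rfb_security(data))
    print("no-auth VNC:", audit(SAMPLES))
```

Run it as-is to see the offline samples classified; use probe() only against addresses you own or are authorized to test, and feed its result to the same parser. A server that lists “None” next to stronger types is still a finding, since the client chooses which offered type to use.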

“Access to ICS systems is undoubtedly the highest priority concern of security professionals at energy organizations and I imagine many will be concerned to see this technology openly discussed on dark web forums,” Ian Garratt, threat intelligence analyst, wrote in the report. “It does, however, allow defenders to assess the capability of attackers with this information and monitor their evolution as credible threats over time. This underlines the need to continuously monitor for evidence that their infrastructure – corporate or industrial – has been compromised. As the Colonial Pipeline demonstrated, even compromised corporate systems can be enough to bring operational activity to a halt.”

The report revealed that threat actors often use the terms ‘Start,’ ‘Step,’ and ‘Blitz,’ indicating the start price, the increments of the bids, and a ‘buy-it-now’ price (blitz) for initial access. It also identified that most of these auction posts list the access type along with the country of the organization, its industry, and its revenue. Furthermore, several hackers post multiple ‘auctions’ impacting different organizations, suggesting that they are specialists in the initial access market.

“We observe listings for organizations in countries all over the world. The small sample in this report alone includes targets in the USA, Canada, UK, France, Italy, and Indonesia,” the Searchlight Cyber report said. “Listings also include companies across the spectrum of the energy sector – upstream, midstream, and downstream – in traditional energy companies such as oil and gas but also renewable energy organizations. The dark web forum Exploit is the most popular site for these auctions but we have also observed activity on other forums such as RaidForums and BreachForums (now both closed),” it added.

The report also provides visibility into the cybercriminal reconnaissance that can help security teams identify likely paths of attack, inform defenses, and prioritize imminent threats. It also delves into how energy organizations monitoring the dark web can use this intelligence to spot when they are being targeted and to prepare their defenses for the most likely types of attack, based on the threats they observe against their peers.

“Energy organizations may not have historically considered themselves the primary target for financially-motivated cyberattacks emanating from the dark web but the cybersecurity landscape has changed dramatically over the past few years,” according to Gareth Owenson, CTO and co-founder at Searchlight Cyber. “Cybercriminals are no longer just focusing on asset-rich organizations like banks and insurance companies. They are increasingly targeting enterprises in industries such as healthcare, oil and gas, and manufacturing, to leverage the critical nature of these companies and extort ransoms. This makes dark web intelligence vital,” he added. 

“While cybercriminals share this information with the intention of attracting buyers, visibility into auction activity on dark web forums offers security professionals a valuable opportunity to determine if their organization is being targeted,” Jim Simpson, director of threat intelligence, wrote in the report. “With information on the revenue, location, and technology of the potential victim, security teams can identify if they fit the profile and take mitigative action. Even if they don’t fit the exact profile of the victim, they know this is a tactic being used against other energy companies that they should factor into their threat modeling,” he added. 

Threat modeling is a process by which potential threats are identified, enumerated, and prioritized from a hypothetical attacker’s point of view. The intent is to give defenders a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets an attacker most desires.

It enables a more proactive approach to security: finding vulnerabilities while there is still time to fix them; saving time, revenue, and reputation by preventing costly and embarrassing breaches; and documenting the threats the organization could face, which aids prioritization and risk assessment, surfaces new intelligence, and builds awareness of the latest risks and vulnerabilities.

The Searchlight Cyber report identified that the “real power of dark web intelligence comes from specificity and actionability. If their threat models are working correctly, energy organizations can use dark web data to identify activity that is likely to impact them and adjust their security procedures accordingly. As we have demonstrated, this can often be determined by identifying if they match the profile of organizations being targeted – based on the geography, revenue, and software referenced in the listings.” 
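Turning the listing fields the report describes (the ‘Start’, ‘Step’ and ‘Blitz’ prices, plus access type, country, industry and revenue) into the profile match discussed above is a small parsing and scoring job. The code below is an added example, not code from the Searchlight Cyber report: it parses three constructed auction posts written to imitate that layout, extracts the fields, and scores each post against a hypothetical organization’s own profile (country, sector, revenue, remote-access technology). The post layout, the regexes, the country table, the technology token list and the scoring weights are this example’s assumptions, not a format taken from any real forum.

```python
"""Parse initial-access auction posts and score them against our own profile.

Added example; not code from the Searchlight Cyber report. LISTINGS below are
constructed to imitate the Start/Step/Blitz auction layout the report describes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A price written as "$450M", "80M$", "1500$" or "$1.2B" (assumed notations)
MONEY = r"\$?\s*([\d.,]+)\s*([kKmMbB]?)\$?"
MULT = {"": 1, "k": 1e3, "m": 1e6, "b": 1e9}
PRICE_RE = {k: re.compile(r"\b" + k + r"\s*[:=]?\s*" + MONEY, re.I)
            for k in ("start", "step", "blitz")}   # start price, bid increment, buy-it-now
COUNTRIES = {"usa": "US", "united states": "US", "canada": "CA", "uk": "GB",
             "united kingdom": "GB", "france": "FR", "italy": "IT", "indonesia": "ID"}
TECH_TOKENS = ("vpn", "rdp", "vnc", "citrix", "fortinet", "anydesk", "teamviewer",
               "domain admin", "domain user", "local admin")


def _money(m: "re.Match") -> float:
    return float(m.group(1).replace(",", "")) * MULT[m.group(2).lower()]


def parse_money(text: str) -> Optional[float]:
    m = re.search(MONEY, text or "")
    return _money(m) if m else None


@dataclass
class Listing:
    title: str
    country: Optional[str]
    industry: str
    revenue: Optional[float]
    access: str
    tech: set
    start: Optional[float]
    step: Optional[float]
    blitz: Optional[float]


def parse_listing(post: str) -> Listing:
    """First line is the title; 'Key: value' lines carry the victim profile."""
    lines = [l.strip() for l in post.strip().splitlines() if l.strip()]
    fields = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip().lower()] = v.strip()
    country_txt = fields.get("country", "").lower()
    country = next((code for name, code in COUNTRIES.items()
                    if re.search(r"\b" + re.escape(name) + r"\b", country_txt)), None)
    access = fields.get("access", "").lower()
    prices = {k: (_money(m) if (m := rx.search(post)) else None) for k, rx in PRICE_RE.items()}
    return Listing(title=lines[0], country=country, industry=fields.get("industry", ""),
                   revenue=parse_money(fields.get("revenue", "")), access=access,
                   tech={t for t in TECH_TOKENS if t in access}, **prices)


@dataclass
class OrgProfile:
    country: str
    sector_keywords: tuple
    revenue: float
    tech: set          # remote-access technology we actually expose


def score(listing: Listing, org: OrgProfile):
    """Points for each listing attribute that matches our own profile, plus the reasons."""
    pts, why = 0, []
    if listing.country == org.country:
        pts += 3; why.append("country")
    if any(k in listing.industry.lower() for k in org.sector_keywords):
        pts += 3; why.append("industry")
    if listing.revenue and 0.5 <= listing.revenue / org.revenue <= 2.0:
        pts += 2; why.append("revenue")   # listed revenue within a factor of two of ours
    overlap = listing.tech & org.tech
    if overlap:
        pts += min(2, len(overlap)); why.append("tech:" + ",".join(sorted(overlap)))
    return pts, why


def triage(posts, org: OrgProfile, min_score: int = 5):
    """Listings worth an incident-response look, highest score first: (score, title, blitz)."""
    ranked = sorted(((score(l, org)[0], l) for l in map(parse_listing, posts)), key=lambda t: -t[0])
    return [(pts, l.title, l.blitz) for pts, l in ranked if pts >= min_score]


# Constructed posts imitating the report's described layout (not real listings).
LISTINGS = [
    """[AUCTION] Access to oil & gas company
Country: USA
Industry: Oil & Gas (midstream)
Revenue: $450M
Access: VPN (Fortinet SSL-VPN), domain user
Start: 1500$ Step: 500$ Blitz: 5000$""",
    """Selling RDP + AnyDesk to renewable energy org
Country: Italy
Industry: Energy (solar/wind)
Revenue: 80M$
Access: RDP, AnyDesk, local admin
Start: 800$ Step: 100$ Blitz: 2500$""",
    """Network access - law firm
Country: Canada
Industry: Legal
Revenue: $20M
Access: Citrix
Start: 300$ Step: 50$ Blitz: 1000$""",
]
# Hypothetical organization profile (assumed values)
OUR_ORG = OrgProfile(country="US", sector_keywords=("energy", "oil", "gas", "pipeline"),
                     revenue=500e6, tech={"fortinet", "vpn", "rdp"})

if __name__ == "__main__":
    for post in LISTINGS:
        l = parse_listing(post)
        print(l.title, "->", score(l, OUR_ORG))
    print("escalate:", triage(LISTINGS, OUR_ORG))
```

The weights are deliberately crude; the point is that a listing matching our country, sector, revenue band and exposed remote-access product scores far above one that only shares the sector, and that is the signal to pull VPN authentication logs and check for a compromised account, not merely to note the trend.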

However, it added that energy companies shouldn’t stop there. “They should also be monitoring the dark web for the exposure of their suppliers, to identify if they are being targeted in the dark web, have exploits that are being discussed on dark web forums, and are leaving the company vulnerable to attack. By building threat models, and feeding them with intelligence gathered from the dark web, energy organizations can identify threats against their organizations from right at the beginning of the Cyber Kill Chain, which allows their security posture to be much more responsive to emerging attacks.”

The report also outlines how companies in the energy sector can leverage this type of intelligence for threat modeling.  

The Searchlight Cyber report comes at a time when cyber risks to energy systems continue to increase, from both nation-states and criminal actors.

In his testimony to the U.S. House Energy and Commerce Committee this week, Puesh Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the Department of Energy (DOE), wrote that “from 2019 through 2023, each Annual Threat Assessment of the U.S. Intelligence Community from the Director of National Intelligence has pointed to persistent and malicious cyber threats facing U.S. infrastructure. These reports are clear: the cyber actors targeting U.S. energy infrastructure are a threat to national security.”

The reports note that both Russia and the People’s Republic of China can launch cyber-attacks against U.S. energy infrastructure that could disrupt critical energy services, Kumar added.
